Best practice to ensure php code can't be seen on shared server?

Forum Moderators: coopster

Message Too Old, No Replies

Best practice to ensure php code can't be seen on shared server?

Wish to hide username/password for mysql call

nysus1

8:00 pm on Aug 9, 2003 (gmt 0)

I wish to place a mysql_connect() function in a secure place on my server to so it can't be read either by Internet users or other users I share my server with who may have shell access. As it's a shared server, I can't modify the php.ini file or place the file outside of the web site directories.

What's the best practice for accomplishing this?

jamesa

8:25 pm on Aug 9, 2003 (gmt 0)

Regarding internet users: if you can't keep it outside the public web directories (preferable) then put it in an .htaccess protected directory.

Regarding shell users: That's a problem, unless the server is set up to jail the shell users. Permissions won't help because the include file must be world-readible since PHP is usually set up as it's own user and won't belong to your group. All you can do is set up a mysql user with the absolute minimum permissions needed to run the scripts, keep backups and cross your fingers.

vincevincevince

11:46 pm on Aug 9, 2003 (gmt 0)

have the password in two parts "partApartB"
store the partA bit on the server
have the partB bit stored on a totally seperate (free?) server, loaded via include("http://..."), from a script which is limited to only return the partB of the password for requests from the IP of your PHP server, using the PHP User Agent, (and using a set referrer).